I changed my Facebook password a few days ago. Today, I entered the old password chronically, and saw the prompt:

Sorry! You Entered An Old Password

And it even shows the date and time when I changed the password. What's more, if I use the same network, it will also say that I changed the password on the same network.

Indeed, this is a user-friendly prompt for those who forgot that they changed the password. But if hackers want to invade one's account, they could use social engineering and other methods to get one's information and then control the account. My question is:

Would this give away some personal information or, even worse, be made use of by hackers? Is it proper?

3 Answers

I'd say it becomes a tradeoff - what is the risk of an attacker getting in with an old password, getting the message, getting a channel to the legitimate user, using a social engineering attack to get the legitimate password versus the risks/costs associated with users not getting this reminder, and instead contacting tech support, or forcing a password reset when a reminder would have helped.

I suspect in this case, it worked out that the benefits of the reminder outweighed the additional information. Particularly since it is likely that getting an old password for a user is as easy as getting a new password, so why spend the time getting to this message if you can just hack into the account?

See my answer. If a password was changed by someone who had the old password, the system should behave as though the old password never existed (a common reason for password change is fear of compromise). If, however, the password was changed via some other means, there may be significant benefit to informing someone who knows the old password that the account was accessed by someone who requested that the password be changed. If the user who knows the old password also knows that he didn't request the change, such notice would let him know his account has been compromised.
– supercat Feb 2 '14 at 19:35

It is fairly common to keep a password history in an authentication system. Remember, they are storing hashes/representations of your password, not your actual password, and are comparing against those, so there is not a lot of risk of exposure or social engineering here. I guess there is a small risk here, that if an attacker is intercepting your network traffic and is MiTM (even on SSL) he will see your password and now it's an old one, and can assume you are using the password on other sites. However, if your traffic is already being intercepted they will see the new password as well, and probably all of your other traffic.

The prompt saying when you changed the password does not pose a real security risk. This is so that you can determine whether the last password change was performed by you; if you don't remember changing your password at that time, you should make sure to change it now and figure out how you were compromised. As for the local network or computer, it's probably just using your public IP address; if you are behind a home router (using NAT) all of your computers will appear to the Internet as the same IP. I am actually surprised it doesn't tell you your password was changed from another PC or network; I've seen Google warn me about attempted logins from IPs in other countries.

I am not sure where the social engineering issue is in this scenario - are you being asked questions like "What high school did you go to?" as a challenge question (e.g., something public or part of your Facebook profile?).

If there's any possibility that an impostor might request a new password on someone's behalf, failure to inform a user who had the old (legitimate) password could allow a security breach to go undetected.
– supercat Feb 2 '14 at 19:36
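An added illustration of the password-history mechanism this answer describes (not code from the question, any answer, or Facebook): a login check that keeps only the salted hashes of retired passwords together with the time and public IP of the change, so it can return the "old password" notice instead of a bare "incorrect password". The function names, the use of PBKDF2, the constructed passwords and the documentation-range IPs are all assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timezone


def _hash(password: str, salt: bytes) -> bytes:
    # Assumed stand-in: PBKDF2-HMAC-SHA256; any slow password hash fits here.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    salt: bytes
    digest: bytes
    # Retired passwords as (salt, digest, retired_at, public IP of the change).
    # Only the digest is kept, never the password itself.
    history: list = field(default_factory=list)


def create_account(password: str) -> Account:
    salt = os.urandom(16)
    return Account(salt, _hash(password, salt))


def change_password(acct: Account, new_password: str, when: datetime, ip: str) -> None:
    acct.history.append((acct.salt, acct.digest, when, ip))
    acct.salt = os.urandom(16)  # fresh salt per version so digests are not comparable
    acct.digest = _hash(new_password, acct.salt)


def login(acct: Account, password: str, ip: str) -> dict:
    if hmac.compare_digest(_hash(password, acct.salt), acct.digest):
        return {"ok": True, "old_password": False, "message": "Welcome"}
    for salt, digest, when, from_ip in acct.history:
        if hmac.compare_digest(_hash(password, salt), digest):
            # Reveal only the change time and whether it came from the same public IP.
            msg = f"You entered an old password; it was changed on {when:%Y-%m-%d %H:%M} UTC"
            if from_ip == ip:
                msg += " from this network"
            return {"ok": False, "old_password": True, "message": msg}
    return {"ok": False, "old_password": False, "message": "Incorrect password"}


def demo_account() -> Account:
    # Constructed sample: password changed on 2 Feb 2014 from a documentation-range IP.
    acct = create_account("correct horse")
    change_password(acct, "battery staple",
                    datetime(2014, 2, 2, 19, 35, tzinfo=timezone.utc), "203.0.113.7")
    return acct


if __name__ == "__main__":
    print(login(demo_account(), "correct horse", "203.0.113.7")["message"])
```

Because the notice is keyed on a hash match against retired versions, it discloses nothing an attacker who already holds the old password does not have, apart from the change time and the same-network hint.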

With many systems, a user who forgets his password may authenticate himself via some other means and assign a new password. Unfortunately, in many cases, it's possible for an impostor to use those "other means" to authenticate himself and change the password of the account so that he (the impostor) can access it but the original user cannot. If the legitimate user's next attempt to log in with the password he had set earlier simply said "Incorrect password", the legitimate user might (wrongly) believe that he had forgotten his password and never realize that the account had been compromised. Informing the user that the password was changed when he himself hadn't changed it would provide notice that the account had been hacked. The value of such notice could in many cases substantially exceed any security risk it might pose.